METHOD AND SYSTEM FOR AUTHENTICATION THROUGH A COMMUNICATIONS PIPE



Field of Invention

The present invention relates to a data processing method for end user authentication over a network for purposes of obtaining secure functions or data from one or more remote computer systems. More particularly, the invention relates to a method of authenticating an end user to multiple remote computer systems using a communications pipe and a personal security device.

Background of Invention

One of the simplest and most commonly used authentication methods employed is the static password, whereby a client computer challenges an end user for a pre-determined password. Once the end user provides the correct password, access is permitted to secure functions or data available on one or more remote computer systems. A significant limitation of the current art is that localized authentication transactions are potentially vulnerable to compromise by unauthorized programs running on the local client or by other illicit means intending to monitor the password authentication process. In a single point authentication process, once a point of entry to a network is compromised, all locations using the same security codes are generally compromised as well.

One security method commonly used to overcome single point authentication failures employs the use of separate static passwords for each pre-determined secure resource. While this method is an improvement over a single multi-use password, this method is still vulnerable to illicit password monitoring, requires an end user to remember multiple passwords, and inefficiently ties up network resources by repeating the entire authentication process each time access to a different secure resource is requested.

Also, as a practical consideration, requiring an end user to remember several different passwords typically results in the same password being used for all secure resources, hence defeating the entire purpose of performing multiple authentications using static passwords.

A more sophisticated approach than the previously described methods involves the use of personal security devices (PSD) such as smart cards, which allow storage of multiple credentials, passwords, certificates, private keys, etc. By implementing the use of smart cards, the ability to compromise passwords is significantly reduced. However, PSDs are still somewhat vulnerable to illicit monitoring during local client cryptographic key generation as described in the background of the invention section of cross-referenced co-pending application OCL-1, "Method and System for Establishing a Remote Connection To a Personal Security Device." An additional limitation of this method becomes apparent when attempting to perform multiple authentication transactions using a single PSD over a network: a PSD, being a serial device, only allows one transaction to be processed at a time, which ties up a remote computer system during authentication with the PSD.

Summary of Invention

In order to perform authentication over a communications pipe as previously described in cross-referenced co-pending application OCL-1, "Method and System for Establishing a Remote Connection To a Personal Security Device," a remote computer system is designated as a secure hub. A remote computer system sends an authentication challenge through the communications pipe to the PSD and performs the initial client authentication. In the first embodiment, the secure hub then routes subsequent authentication challenges from other remote computer systems through the communications pipe into the PSD, where each challenge is processed within the secure domain of the PSD, and returns the authentication response back through the communications pipe over a network to the challenging remote computer system.

In an alternate embodiment of this invention, the remote computer system established as a secure hub performs the initial client authentication, then copies, if not already present, the PSD's authentication credentials through the communications pipe to a secure storage location within the secure hub. The secure hub then responds to subsequent authentication challenges from other remote computer systems over the network using the transferred credentials.

Importantly, authentication transactions are only performed through a remote computer system designated as a secure hub. Additional security improvements may be facilitated by the use of a hardware security module (HSM).

Brief Description of Drawings

FIG. 1 - is a generalized system block diagram for implementing the present invention.
FIG. 2 - is a detailed block diagram illustrating initial authentication challenge.
FIG. 3 - is a detailed block diagram illustrating initial authentication.
FIG. 4 - is a detailed block diagram illustrating remote authentication challenge.
FIG. 5 - is a detailed block diagram illustrating remote authentication.
FIG. 6 - is a detailed block diagram illustrating authentication credential transfer.
FIG. 7 - is a detailed block diagram illustrating remote authentication challenge (Alternate inventive embodiment.)
FIG. 8 - is a detailed block diagram illustrating remote authentication (Alternate inventive embodiment.)

Detailed Description of Preferred Embodiment

The steps involved in performing authentication through a communications pipe are illustrated in FIGS. 1 through 8, where FIG. 1 is a generalized system block diagram. FIGS. 2 through 5 illustrate the first embodiment, in which a remote computer system established as a secure hub directs authentication challenges through the communications pipe into the PSD for processing. FIGS. 6 through 8 illustrate the alternate embodiment, in which the secure hub itself responds to authentication challenges, rather than directing challenges through the communications pipe into the PSD for processing. Characters shown with a prime sign (e.g. C') indicate transferred copies of the PSD's authentication credentials.

Referring to FIG. 1, a generalized system block diagram of the invention, a Client 10 and a connected Personal Security Device 40 are connected over a network 45 to a remote computer system 50 using a communications pipe 75 as described in co-pending application OCL-1. Remote computer system 50, once established as a secure hub, serves authentication requests made by other remote computer systems and sent over the network. Remote computer system 150 is an example of a system requiring authentication through the secure hub. The secure hub does not control non-secure transactions occurring over the network; such transactions are omitted from the drawing. Transactions not involving authentications are not restricted to the secure hub.
The basic operation of the secure hub may be initiated when an end user at a Client requests access to secure functions or data contained on one or more remote computer systems connected by a network. An available remote computer system, in which a communications pipe has been established as described in co-pending application OCL-1, authenticates the end user and client using the security mechanisms contained within the secure domain of the PSD. Alternatively, an external event such as a need to update information within a PSD may trigger a remote computer system other than the secure hub to initiate the authentication process.

Once an initial client authentication has been accomplished by the remote computer system, subsequent authentication challenges transmitted over a network 45 or 45' made by other remote computer systems are directed to the remote computer system 50 acting as a secure hub and, depending on which embodiment of the invention is employed, are either routed through the appropriate communications pipe 75 to the PSD or are directly authenticated by the remote computer system 50.

Referring to FIG. 2, to establish a secure hub, a Client 10 causes an authentication challenge to be generated on a remote computer system 50 by requesting access to secure functions or data over a network 45 or 45'. Upon receiving the request from Client 10, remote computer system 50 generates an authentication challenge 205 within a secure domain designated as authentication routine 65. The authentication challenge is processed by an API level program 100 and routed 200 to an APDU interface 55 for translation into an APDU format. The APDUs are then sent 220 to a Security Module 225 for encryption. The encrypted APDUs are then routed 230 to a Pipe Server 70 for encapsulation into outgoing messaging and sent 210 to the server-side communications programs 105 for transmission over the communications pipe 75, through the network 45 into the network interface 130 of the client 10. The incoming messages are then routed 240 to the client-side communications programs 105 for processing.

Following processing, the messages are sent 250 to a pipe client 15 for separation of the encapsulated APDUs. The APDUs are then sent 260 through a hardware device port 5 assigned to a PSD Interface 25. PSD Interface 25 routes the incoming APDUs into the PSD 40 via connection 30, where they are subsequently decrypted and processed within its secure domain 35.

Referring to FIG. 3, once PSD 40 has processed the authentication challenge within the secure domain of the PSD 35, an authentication response message is generated using a pre-established cryptography method.

The authentication response is sent in APDU format from PSD 40 through connection 30 and into PSD interface 25. The PSD secure response is then routed 370 through hardware device port 5 and sent 360 to the Pipe Client 15 for processing and encapsulation. The resulting message packets are then sent 350 to the Client-side Communications Programs 105 for processing, encryption using a pre-established secure communications protocol and incorporation into outgoing message packets 340. The message packets 340 containing the encapsulated APDUs are transmitted over the network 45 via a network interface card (I/O) 130.

The Remote Computer System 50 receives the message packets 335 containing the encapsulated APDUs from the network 45 via a network interface card (I/O) 130 installed on the Remote Computer System. The incoming messages are processed and decrypted using the pre-established cryptography method employed in the secure communications protocol by the server-side Communications Programs 105 and routed 310 into the Pipe Server 70 for secure APDU extraction. The extracted secure APDUs are sent 330 to the Security Module 325 for decryption of the secure APDUs using the pre-established cryptography method. The decrypted APDUs are then routed 320 to the APDU interface 55 for processing and translation into a higher-level format and sent 300 to API Level programs 100 for processing by the Authentication Module 65. If authentication is successful, the end user is allowed access to secure functions or data, and remote computer system 50 is established as the secure hub.



Referring to FIG. 4, once the secure hub has been established as previously described, remote authentication of additional remote computer systems may be performed. Remote authentication may be initiated either by a client's request for access to secure functions or data or by other remote computer systems to perform transactions within the secure domain of a PSD.

To perform a remote authentication, a challenge 85 is issued by a second remote computer system 150. The challenge is routed over a network 45 into the secure hub 50. The incoming challenge is processed and decrypted in the secure hub 50 using the pre-established cryptography method employed in the secure communications protocol by the server-side Communications Programs 105 and routed 85 to an API level program 100, where it is processed and routed 400 to an APDU interface 55 for translation into an APDU format. The APDUs are then sent 420 to a Security Module 425 for encryption. The encrypted APDUs are then routed 430 to a Pipe Server 70 for encapsulation into outgoing messaging and sent 410 to the communications programs 105 for transmission over the communications pipe 75, through the network 45 into the network interface 130 of the client 10.
The incoming messages are then routed 440 to the client-side communications programs 105 for processing. Following processing, the messages are sent 450 to the pipe client 15 for separation of the encapsulated APDUs, which are subsequently routed through the hardware device port 5 and PSD Interface 25 into the PSD 40.

Referring to FIG. 5, once PSD 40 has processed the authentication challenge within the secure domain of the PSD 35, an authentication response message is generated using a pre-established cryptography method. The authentication response is sent in APDU format from PSD 40 through connection 30 and into PSD interface 25. The PSD secure response is then routed 570 through hardware device port 5 and sent 560 to the Pipe Client 15 for processing and encapsulation. The resulting message packets are then sent 550 to the Client-side Communications Programs 105 for processing, encryption using a pre-established secure communications protocol and incorporation into outgoing message packets. The message packets containing the encapsulated APDUs are transmitted over the network 45 via a network interface card 130.

The Remote Computer System 50 receives the message packets 535 containing the encapsulated APDUs from the network 45 via network interface card (I/O) 130 installed on the Remote Computer System. The incoming messages are processed and decrypted using the pre-established cryptography method employed in the secure communications protocol by the server-side Communications Programs 105 and routed 510 into the Pipe Server 70 for secure APDU extraction. The extracted secure APDUs are sent 530 to the Security Module 525 for decryption of the secure APDUs using the pre-established cryptography method. The decrypted APDUs are then routed 520 to the APDU interface 55 for processing and translation into a higher-level format and sent 500 to API Level programs 100 for processing. The Authentication Module 65 within the secure hub remains idle during the transfer of authentication information. The authentication response message is then routed 85 into the Communications Programs 105, where the response is sent over the network 45 in a pre-established secure communications protocol to the challenging remote computer system 150.

The incoming response message is decrypted and sent to an Authentication Module 95. If authentication is successful, the remote computer system 150 allows access to secure functions or data. If authentication fails, the end user will be unable to access secure functions or data.



Referring to FIG. 6, which depicts an alternate embodiment of the current invention, a remote computer system 50 established as a secure hub transfers copies of the PSD's credentials C 35, if not pre-existing on the secure hub. To accomplish this, an initial authentication transaction is performed by a remote computer system as previously described. Following authentication, additional commands are sent by the remote computer system 50 to transfer the specified credentials.

The credentials are generated using a pre-established cryptography method and sent in APDU format from PSD 40 through connection 30 and into PSD interface 25. The PSD secure response is then routed 670 through hardware device port 5 and sent 660 to the Pipe Client 15 for processing and encapsulation. The resulting message packets are then sent 650 to the Client-side Communications Programs 105 for processing, encryption using a pre-established secure communications protocol and incorporation into outgoing message packets 640. The message packets 640 containing the encapsulated APDUs are transmitted 75 over the network 45 via a network interface card 130.

The Remote Computer System 50 receives the message packets 635 containing the encapsulated APDUs from the network 45 via network interface card (I/O) 130 installed on the Remote Computer System. The incoming messages are processed and decrypted using the pre-established cryptography method employed in the secure communications protocol by the server-side Communications Programs 105 and routed 610 into the Pipe Server 70 for secure APDU extraction. The extracted secure APDUs are sent 630 to the Security Module 625 for decryption of the secure APDUs using the pre-established cryptography method. The decrypted APDUs are then routed 620 to the APDU interface 55 for processing and translation into a higher-level format and sent 600 to API Level programs 100 for processing and subsequently sent 605 to the Authentication Module 65 for secure storage and future use. The transferred authentication information C' 65 is shown in the following figures.

In FIG. 7 an authentication challenge 85 is sent by a remote computer system 150 over a network 45. Remote Computer System 50 receives the incoming challenge 85 from the network 45 via network interface card 130 installed on the Remote Computer System. The incoming challenges 85 are processed and decrypted using the pre-established cryptography method employed in the secure communications protocol by the server-side Communications Programs 105 and routed to API Level programs 100 for processing. The processed challenge is then sent 705 to the Authentication Module 65 for authentication using the PSD's transferred credentials C' 65. The communications pipe 75 may remain intact during this process to allow for other transactions to occur.

Referring to FIG. 8, the secure hub 50 generates an authentication reply within the Authentication Module 65, which is sent 805 to the API Level Programs 100 for processing and subsequently routed 810 to the Server-side Communications Programs 105 for processing, encryption using a pre-established secure communications protocol and incorporation into outgoing message packets. The message packets are routed over the network 45 to the challenging remote computer system 150. The incoming messages are decrypted and the authentication reply processed by an Authentication Module 95. If authentication is successful, the remote computer system 150 allows access to secure functions or data. If authentication fails, the end user will be unable to access secure functions or data.
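The two authentication paths described above (challenge routed through the communications pipe into the PSD, FIGS. 4-5, versus the secure hub answering from transferred credentials C', FIGS. 7-8) are modelled below as an added example; this is constructed illustration code, not the patent's own implementation. It assumes stand-ins the page does not specify: HMAC-SHA256 as the PSD's "pre-established cryptography method", length-prefixed framing as APDU encapsulation, a constructed EXPORT command for the credential transfer, and it omits the Security Module encryption layer of the pipe.

```python
"""Constructed simulation of the secure-hub flows (not the patent's own code).
Stand-ins: HMAC-SHA256 as the PSD's cryptography method, length-prefixed
framing as APDU encapsulation; pipe-level encryption is omitted."""
import hashlib, hmac, os, struct
def mac(key, data):                          # stand-in cryptography method
    return hmac.new(key, data, hashlib.sha256).digest()
class PSD:                                   # Personal Security Device 40
    def __init__(self, secret):
        self._secret = secret                # held only in secure domain 35
    def process_apdu(self, apdu):
        if apdu == b"EXPORT":                # constructed command for FIG. 6
            return self._secret
        return mac(self._secret, apdu)       # FIGS. 3/5: response built in-card
def encapsulate(apdu):                       # Pipe Client 15 / Pipe Server 70
    return struct.pack(">H", len(apdu)) + apdu

def extract(packet):
    (n,) = struct.unpack(">H", packet[:2])
    return packet[2:2 + n]

class Client:                                # Client 10 with attached PSD
    def __init__(self, psd): self.psd = psd
    def pipe_endpoint(self, packet):         # what arrives over pipe 75
        return encapsulate(self.psd.process_apdu(extract(packet)))

class SecureHub:                             # remote computer system 50
    def __init__(self, client): self.client, self.c_prime = client, None
    def answer_via_psd(self, challenge):     # first embodiment, FIGS. 4-5
        return extract(self.client.pipe_endpoint(encapsulate(challenge)))
    def transfer_credentials(self):          # alternate embodiment, FIG. 6
        if self.c_prime is None:             # "if not already present"
            self.c_prime = extract(self.client.pipe_endpoint(encapsulate(b"EXPORT")))
    def answer_locally(self, challenge):     # FIGS. 7-8, using C' 65
        if self.c_prime is None: raise RuntimeError("credentials not transferred")
        return mac(self.c_prime, challenge)

class ChallengingSystem:                     # remote computer system 150
    def __init__(self, secret): self._secret = secret   # shared key for the demo
    def authenticate(self, hub, local=False):
        challenge = os.urandom(16)           # challenge 85, fresh each attempt
        reply = hub.answer_locally(challenge) if local else hub.answer_via_psd(challenge)
        return hmac.compare_digest(reply, mac(self._secret, challenge))  # Module 95

def demo():
    hub = SecureHub(Client(PSD(b"constructed-psd-secret")))
    sys150 = ChallengingSystem(b"constructed-psd-secret")
    via_psd = sys150.authenticate(hub)       # challenge routed into the PSD
    hub.transfer_credentials()               # hub now holds C'
    return via_psd, sys150.authenticate(hub, local=True), ChallengingSystem(b"x").authenticate(hub, local=True)
```

In the alternate path the credential copy C' lives on the hub, outside the PSD's secure domain 35, so the hub's secure storage becomes part of what must be protected.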

The foregoing described embodiments of the invention are provided as illustrations and descriptions. They are not intended to limit the invention to the precise form described. In particular, it is contemplated that the functional implementation of the invention described herein may be implemented equivalently in hardware, software, firmware, and/or other available functional components or building blocks. Other embodiments are possible in light of the above teachings, and it is not intended that this Detailed Description limit the scope of the invention, but rather the Claims following herein.



